Unlocked bootloaders and custom recoveries on Nexus devices


If you have ever rooted your Nexus device, you probably know that you first have to unlock the bootloader before you can flash a new factory image or custom ROM. So here’s the famous command:

fastboot oem unlock

Security issues

Unlocking your bootloader, however, wipes all data on the device. But why is that? Because an unlocked bootloader opens every door to the device: even when your phone is locked with a PIN code, someone could still boot into the bootloader, flash a custom recovery and, from there, read your device data. The wipe makes sure that whoever unlocks the bootloader does not get the data that was on it.

BootUnlocker to the rescue!

Ideally you unlock your bootloader, flash a new Nexus factory image and then re-lock the bootloader. However, if you need to flash another factory image two weeks later, you have to unlock the bootloader again, and your device is wiped before you can flash the new image.

But there’s an app for that! BootUnlocker allows you to lock/unlock your bootloader without wiping your data. From a security perspective this of course only makes sense if you have set a PIN code, unlock pattern or a similar protection.

https://play.google.com/store/apps/details?id=net.segv11.bootunlocker

Currently the app doesn’t work on all Nexus devices yet. Among the supported devices are the Galaxy Nexus, Nexus 4 and Nexus 10. The Nexus 7 is not supported because Asus has added more security to its devices and doesn’t allow the bootloader to be modified this easily.

But wait… what about Custom ROMs?

Typically you use a custom recovery (ClockworkMod being the de facto standard) to flash your ROMs, framework modifications, or even just the latest Superuser binaries.

But unlike official factory images, custom ROMs cannot be flashed from the bootloader. A custom recovery is needed that allows you to flash unsigned files.

Now even when you lock your bootloader (after flashing a custom ROM), your doors are still wide open, because anyone can boot into recovery mode and use it to access your device.

I’m not saying this is a critical issue or that you should immediately stop using custom ROMs, but you should at least be aware of what you are doing! If you lose your Android phone, chances are good that a thief does not know about custom recoveries and the like. Nevertheless, it would still be great if the device were more secure!

Possible solutions

Usually you are using the fastboot tool to flash a custom recovery:

fastboot flash recovery your_recovery_image

Alternatively, the tool lets you boot a custom recovery directly without flashing it permanently. You can boot into the recovery, do your business as usual, and on the next reboot you are back on the stock recovery:

fastboot boot your_recovery_image

This command only works while your bootloader is unlocked, and unfortunately it makes accessing your recovery more cumbersome. Gone are the days when you could quickly boot into recovery to flash a zip!
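The following script is an added example (not code from the original post) that wraps the “boot instead of flash” approach: it refuses to proceed while the bootloader is locked, checks the recovery image against a known-good SHA-256 before booting it, and never writes to the recovery partition. It assumes fastboot is on PATH, the device is already in bootloader mode, and the bootloader answers `fastboot getvar unlocked` (older Nexus bootloaders may not, which the script reports as an unknown state).

```shell
#!/bin/sh
# Added example: temporarily boot a custom recovery with "fastboot boot"
# so the stock recovery stays in place after the next reboot.

# Parse the text printed by "fastboot getvar unlocked", which reports
# "unlocked: yes" or "unlocked: no". Exit status: 0 = unlocked,
# 1 = locked, 2 = the bootloader did not report the variable.
parse_unlocked() {
    case "$1" in
        *"unlocked: yes"*) return 0 ;;
        *"unlocked: no"*)  return 1 ;;
        *)                 return 2 ;;
    esac
}

# Compare the recovery image with the SHA-256 published by the recovery
# project (you supply that hash). Exit status 0 on match.
verify_image() {
    img="$1"; expected="$2"
    actual=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Boot the image without flashing it (assumption: fastboot prints getvar
# results on stderr, so both streams are captured).
boot_temp_recovery() {
    img="$1"; expected="$2"
    state=$(fastboot getvar unlocked 2>&1)
    parse_unlocked "$state"
    case $? in
        1) echo "bootloader is locked; fastboot boot would be refused" >&2; return 1 ;;
        2) echo "could not read lock state: $state" >&2; return 1 ;;
    esac
    if ! verify_image "$img" "$expected"; then
        echo "recovery image hash mismatch, not booting it" >&2
        return 1
    fi
    fastboot boot "$img"
}

# Usage: ./boot-recovery.sh your_recovery_image <sha256-from-project-page>
if [ "$#" -eq 2 ]; then
    boot_temp_recovery "$1" "$2"
fi
```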

Call for more security to Custom recoveries

In an ideal world you would have the best security together with the greatest possible freedom for yourself! It would be nice to use a custom recovery while relying on the assurance that not everyone can use it. So here’s my call to all recovery developers:

Please add some kind of protection level to your custom recoveries! On every PC you can set up a password to protect the CMOS settings, so custom recoveries could do the same! Password protection would be a far better feature than big, ugly styled touch buttons! Thank you!
